Amazon Detective Documentation

Amazon Detective is designed to analyze, investigate, and identify the root cause of potential security issues or suspicious activities. Amazon Detective collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that helps you to conduct faster and more efficient security investigations.

Amazon Detective can analyze events from multiple data sources such as Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, AWS CloudTrail logs, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and security findings from multiple services like Amazon GuardDuty, AWS Security Hub, and more. Detective creates a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can visualize relevant details and context in one place to help you identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.

Data collection across all of your AWS accounts

Amazon Detective ingests and processes relevant data from your enabled accounts. Amazon Detective is designed to collect and analyze events from data sources, such as AWS CloudTrail logs, Amazon VPC Flow Logs, Amazon EKS audit logs, Amazon GuardDuty findings, AWS Security Hub findings, and other integrated AWS security services, and maintains up to a year of aggregated data for analysis.

Consolidate disparate events into a graph model

Amazon Detective can analyze events from various data types including IP traffic, AWS management operations, and potentially malicious or unauthorized activities. Detective constructs a graph model using machine learning, statistical analysis, and graph theory to build a linked set of data for security investigations. The pre-built graph model contains security-related relationships and offers contextual and behavioral insights that can help you to quickly validate, compare, and correlate the data to reach conclusions. Amazon Detective’s visualizations are powered by the graph model, and can help you to answer your investigative questions without the complexity of querying raw logs. For example, a graph can provide context and relationships around when an IP address connected to an EC2 instance and the API calls made by a role during a specific time period.

Interactive visualizations

Amazon Detective can analyze events from many separate data sources regarding IP traffic, AWS management operations, and malicious or unauthorized activity to construct a graph model. The graph model is designed to distill log data using machine learning, statistical analysis, and graph theory to build a linked set of data for security investigations. The graph model is also prebuilt with security-related relationships, and summarizes contextual and behavioral insights that can help you to quickly validate, compare, and correlate the data to reach conclusions. Amazon Detective’s visualizations are powered by the graph model, and can help you to answer your investigative questions without the complexity of querying raw logs. For example, a graph can provide context and relationships around when an IP address connected to an EC2 instance, and the API calls that a role has issued in a specific time period.

The Amazon Detective geolocation map shows you activity coming from newly observed locations, that is, locations from which no activity had been seen before. This can help you to identify unusual activity and investigate whether it is legitimate or suspicious.

The Overall API call volume shows you successful and failed calls in a specific time period and compares them to the established baseline. This can help you to identify patterns of abnormal activity and validate security findings.
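The two signals just described, activity from newly observed locations and API call volume measured against a baseline, can be reduced to simple checks over CloudTrail-style records. The following is an added illustration, not Amazon Detective's own code; it runs over a handful of constructed events and uses a fabricated "location" field in place of the country Detective derives from the source IP address.

```python
from datetime import datetime, timezone

# Constructed CloudTrail-like events (fabricated values, not real logs).
# "location" stands in for the country Detective derives from sourceIPAddress.
EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "principal": "role/AppRole", "errorCode": None, "location": "US"},
    {"eventTime": "2024-05-01T09:10:00Z", "principal": "role/AppRole", "errorCode": None, "location": "US"},
    {"eventTime": "2024-05-01T10:20:00Z", "principal": "role/AppRole", "errorCode": "AccessDenied", "location": "US"},
    {"eventTime": "2024-05-02T09:05:00Z", "principal": "user/alice", "errorCode": None, "location": "DE"},
    {"eventTime": "2024-05-03T01:00:00Z", "principal": "role/AppRole", "errorCode": "AccessDenied", "location": "BR"},
    {"eventTime": "2024-05-03T01:01:00Z", "principal": "role/AppRole", "errorCode": "AccessDenied", "location": "BR"},
    {"eventTime": "2024-05-03T01:02:00Z", "principal": "role/AppRole", "errorCode": "AccessDenied", "location": "BR"},
    {"eventTime": "2024-05-03T01:03:00Z", "principal": "role/AppRole", "errorCode": "AccessDenied", "location": "BR"},
    {"eventTime": "2024-05-03T01:04:00Z", "principal": "role/AppRole", "errorCode": None, "location": "BR"},
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def call_volume(events, start, end):
    """Successful and failed API calls in [start, end): a CloudTrail errorCode marks a failed call."""
    ok = failed = 0
    for e in events:
        if start <= parse_time(e["eventTime"]) < end:
            if e["errorCode"]:
                failed += 1
            else:
                ok += 1
    return ok, failed

def daily_baseline(events, baseline_start, baseline_end):
    """Average successful and failed calls per day over the baseline window."""
    days = max((baseline_end - baseline_start).days, 1)
    ok, failed = call_volume(events, baseline_start, baseline_end)
    return ok / days, failed / days

def abnormal_failures(events, baseline, window_start, window_end, factor=3.0):
    """Flag a window whose failed-call count exceeds factor x the baseline daily failed count."""
    _, base_failed = baseline
    _, failed = call_volume(events, window_start, window_end)
    return failed > factor * max(base_failed, 1.0)

def newly_observed_locations(events, cutoff):
    """(principal, location) pairs seen at or after cutoff that were never seen before it."""
    seen = {(e["principal"], e["location"]) for e in events if parse_time(e["eventTime"]) < cutoff}
    new = {(e["principal"], e["location"]) for e in events if parse_time(e["eventTime"]) >= cutoff}
    return sorted(new - seen)
```

With these events, the third day shows both a burst of AccessDenied errors above the two-day baseline and a principal acting from a location it had not used before, which is the combination an analyst would drill into from the finding.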

Integration for investigating a security finding

Amazon Detective is integrated with AWS security services such as Amazon GuardDuty and AWS Security Hub, as well as AWS partner security products, to help you investigate security findings identified in these services. Using these integrated services, you can go to Amazon Detective and see events related to the finding, drill down into relevant historical activities, and investigate the issue. For example, from an Amazon GuardDuty finding, you can launch Amazon Detective by clicking on “Investigate in Detective” and review insights into the relevant activity for the involved resource, giving you details and context to help you decide whether the detected finding reflects actual suspicious activity.

Security investigation support for Amazon GuardDuty Runtime Monitoring

Amazon Detective supports security investigations for GuardDuty ECS and EKS Runtime Monitoring, providing enhanced visualizations and additional context for new threat detections. You can use the runtime threat detections from GuardDuty and the investigative capabilities from Detective to improve your detection and response for potential threats to your container workloads. Detective supports the investigation of these new detections by including them in finding groups, visualizations, and other summaries for faster security investigations.

Deployment with no upfront data source integration or complex configurations to maintain

You can enable Amazon Detective through the AWS Management Console. There is no software to deploy, agents to install, or complex configurations to maintain. There are also no data sources to enable.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.